author | Ludwig Krispenz <lkrispen@redhat.com> | 2014-09-12 12:43:31 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-09-12 16:42:09 +0200 |
commit | 93b9d029ce147eb6b4c4ad36ce3c75e5fad37214 (patch) | |
tree | 2a942c44bdd1b79fecb4f40a5f6c4fff968ca539 | |
parent | f30eac04e17224cd90333b55d876526bb3265820 (diff) | |
Update SSL ciphers configured in 389-ds-base
Use configuration parameters to enable the ciphers that NSS provides
and that are not considered weak.
This requires 389-ds version 1.3.3.2 or later
https://fedorahosted.org/freeipa/ticket/4395
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
-rw-r--r-- | freeipa.spec.in | 6 | ||||
-rw-r--r-- | install/updates/20-sslciphers.update | 6 | ||||
-rw-r--r-- | install/updates/Makefile.am | 1 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 7 |
4 files changed, 12 insertions, 8 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index f1c8a057f..113829914 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -18,7 +18,7 @@ Source0: freeipa-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.2.16
+BuildRequires: 389-ds-base-devel >= 1.3.3.2
 BuildRequires: svrcore-devel
 BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires: systemd-units
@@ -87,7 +87,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.20
+Requires: 389-ds-base >= 1.3.3.2
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -124,7 +124,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.75.13
-Requires(pre): 389-ds-base >= 1.3.2.20
+Requires(pre): 389-ds-base >= 1.3.3.2
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
diff --git a/install/updates/20-sslciphers.update b/install/updates/20-sslciphers.update
new file mode 100644
index 000000000..b0c952f49
--- /dev/null
+++ b/install/updates/20-sslciphers.update
@@ -0,0 +1,6 @@
+# change configured ciphers
+# the result of this update will be that all ciphers
+# provided by NSS which ar not weak will be enabled
+dn: cn=encryption,cn=config
+only:nsSSL3Ciphers: +all
+addifnew:allowWeakCipher: off
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index a6d24b94f..b137ffedc 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -14,6 +14,7 @@ app_DATA = \
  20-indices.update \
  20-nss_ldap.update \
  20-replication.update \
+ 20-sslciphers.update \
  20-syncrepl.update \
  20-user_private_groups.update \
  20-winsync_index.update \
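Review bot: `addifnew:allowWeakCipher: off` on the last line of 20-sslciphers.update appears to add the attribute only when it is absent, while `only:nsSSL3Ciphers: +all` on the line above unconditionally replaces the cipher list, so on a server where an administrator has already set allowWeakCipher to on the update would enable every NSS cipher, including the weak ones the header comment says are excluded. If the intent is to enforce the non-weak set, `only:allowWeakCipher: off` makes the two lines consistent; if the intent is to honour a local override, the header comment should say that this file does not reset an existing allowWeakCipher value. The comment on the third line also has a typo: `# provided by NSS which ar not weak will be enabled` should read `# provided by NSS which are not weak will be enabled`.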
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 61ea52a6b..c15ef2ceb 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -655,11 +655,8 @@ class DsInstance(service.Service):
         conn.do_simple_bind(DN(('cn', 'directory manager')), self.dm_password)
         mod = [(ldap.MOD_REPLACE, "nsSSLClientAuth", "allowed"),
-               (ldap.MOD_REPLACE, "nsSSL3Ciphers",
-                "-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,\
-+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,\
-+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,\
-+tls_rsa_export1024_with_des_cbc_sha")]
+               (ldap.MOD_REPLACE, "nsSSL3Ciphers", "+all"),
+               (ldap.MOD_REPLACE, "allowWeakCipher", "off")]
         conn.modify_s(DN(('cn', 'encryption'), ('cn', 'config')), mod)
         mod = [(ldap.MOD_ADD, "nsslapd-security", "on")]
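Review bot: The two added `MOD_REPLACE` tuples hard-code the same cipher policy that the new install/updates/20-sslciphers.update file carries, and nothing in the code records that the two must change together, so a later adjustment to one is likely to miss the other. I would add above the `mod = [` line a comment such as `# Keep in sync with install/updates/20-sslciphers.update: "+all" enables every cipher NSS offers and allowWeakCipher=off lets 389-ds (>= 1.3.3.2, see freeipa.spec.in) drop the ones it classifies as weak.` It is also worth noting in that comment that the weak/strong decision is now delegated entirely to the directory server, so this installer no longer controls which suites end up enabled; if a minimum set is needed for interoperability, that presumably has to be checked elsewhere. The enclosing method starts and ends outside the hunk.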